From 87630a6583a0bc6d9b33aae1aa5a08eea765af24 Mon Sep 17 00:00:00 2001 From: KN4CK3R Date: Sun, 20 Nov 2022 13:35:26 +0100 Subject: [PATCH] Do not allow Ghost access to limited visible user/org (#21849) (#21875) Backport of #21849 Co-authored-by: Lauris BH --- models/organization/org.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/models/organization/org.go b/models/organization/org.go index 0d4a5e337b6..6e70233bc38 100644 --- a/models/organization/org.go +++ b/models/organization/org.go @@ -448,8 +448,9 @@ func CountOrgs(opts FindOrgOptions) (int64, error) { // HasOrgOrUserVisible tells if the given user can see the given org or user func HasOrgOrUserVisible(ctx context.Context, orgOrUser, user *user_model.User) bool { - // Not SignedUser - if user == nil { + // If user is nil, it's an anonymous user/request. + // The Ghost user is handled like an anonymous user. + if user == nil || user.IsGhost() { return orgOrUser.Visibility == structs.VisibleTypePublic }